DarkOwl Vision, our proprietary database of DARKINT content, recently scraped an astounding 562 million new credentials! The dataset is a "combo list" of credentials aggregated from multiple hacked sites, and while the compromised sites are not identified in the files, we can correlate known breaches to many of the passwords.

Attackers find combo lists valuable because they can replay the credentials against valid accounts on other websites. So if an attacker comes across a set of Twitter credentials, he or she can try those same credentials on Facebook and see whether that person reuses the password for that account. These credentials carry no attribution, as the hackers don't care where they came from, only how they can be used elsewhere.

We analyzed this new data for correlations and trends, and the finding most worth sharing with our followers concerns the passwords themselves.

We pulled the top twenty-five passwords from this dataset. Please note that we discarded the site-specific ones such as "myspace1". "123456" continues to be the most common password, for what seems like the umpteenth year in a row.

The Top 25

1. 123456
2. 123456789
3. abc123
4. password
5. password1
6. 12345678
7. 111111
8. 1234567
9. 12345
10. 1234567890
11. qwerty
12. 123123
13. iloveyou
14. 000000
15. monkey
16. dragon
17. 123456a
18. tinkle
19. 1q2w3e4r
20. zaq12wsx
21. qwertyuiop
22. a123456
23. 123abc
24. 1qaz2wsx
25. qwerty1

Of all 562 million credentials, these were the passwords that turned up most frequently. A closer look at what they have in common suggests several recipes for creating an entirely insecure password:

- A string of numbers (12345, 123123)
- A string of characters that sit next to one another on the keyboard (1q2w3e4r, qwerty)
- The same digit repeated, typically 6-10 times, since that is the common password-length requirement (111111, 000000)
- An animal; mythical animals work as well (monkey, dragon)

Notable outliers: "iloveyou" and "tinkle"

"If you use any variation of these anywhere, change it," our analysts say. Hackers have access to similar datasets and draw the same conclusions we do here. From there, it's only a matter of trying a couple of the above passwords, or using one of the above "formulas," until one of them works.
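The "formulas" above can be turned into a server-side screening rule. The following Python is an added example, not code from the DarkOwl post: it rejects a candidate password that appears in the top-25 list (with trailing digits stripped) or that matches one of the four patterns (digit sequence, repeated block, keyboard walk, dictionary word). The QWERTY grid, the adjacency ratio of 0.8 and the tiny word list are assumptions made for the example; a real deployment would swap in a full compromised-password list and dictionary.

```python
# The 25 most frequent passwords from the post, used as a denylist.
TOP_25 = {
    "123456", "123456789", "abc123", "password", "password1", "12345678",
    "111111", "1234567", "12345", "1234567890", "qwerty", "123123",
    "iloveyou", "000000", "monkey", "dragon", "123456a", "tinkle",
    "1q2w3e4r", "zaq12wsx", "qwertyuiop", "a123456", "123abc", "1qaz2wsx",
    "qwerty1",
}
# Constructed mini word list standing in for a real dictionary lookup.
WORDS = {"monkey", "dragon", "iloveyou", "tinkle", "password"}
# US QWERTY layout as a grid: key -> (row, column). Two keys count as
# adjacent when they lie within one row and one column of each other.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYPOS = {k: (r, c) for r, row in enumerate(_ROWS) for c, k in enumerate(row)}


def is_keyboard_walk(pw, min_len=4, ratio=0.8):
    """Most consecutive keys are physically adjacent (qwerty, 1q2w3e4r, zaq12wsx)."""
    if len(pw) < min_len or any(ch not in KEYPOS for ch in pw):
        return False
    adjacent = 0
    for a, b in zip(pw, pw[1:]):
        (r1, c1), (r2, c2) = KEYPOS[a], KEYPOS[b]
        if (r1, c1) != (r2, c2) and abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
            adjacent += 1
    return adjacent / (len(pw) - 1) >= ratio


def is_repeated(pw):
    """A short block repeated to fill the whole string (111111, 000000, 123123)."""
    return any(len(pw) % n == 0 and pw == pw[:n] * (len(pw) // n)
               for n in range(1, len(pw) // 2 + 1))


def is_digit_run(pw):
    """All digits, each stepping +1 or -1 from the last (12345, 1234567890)."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {9}


def weak_password_reasons(password):
    """Return the weak-password patterns a candidate matches; [] means none fired."""
    pw = password.lower()
    stem = pw.rstrip("0123456789")  # "password1" -> "password", "qwerty1" -> "qwerty"
    checks = [("top-25 list", pw in TOP_25 or stem in TOP_25),
              ("digit sequence", is_digit_run(pw)), ("repeated block", is_repeated(pw)),
              ("keyboard walk", is_keyboard_walk(pw)), ("dictionary word", stem in WORDS)]
    return [name for name, hit in checks if hit]
```

Because the walk and run detectors work from the layout rather than from a fixed list, they also catch variants such as "qazwsx" or "987654" that are not among the twenty-five above.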

Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.